As a best security practice, organizations typically impose a rigid password expiration timeline, forcing users to periodically change their passwords (e.g., 90 days) or lose access to all resources. If a user changes her password to a new password before the expiration date, the new password will enable the user to continue accessing resources for another period of time (e.g., 90 days). If, on the other hand, the user does not change her password before the expiration date, the old password will expire and the user will lose all access to previously-accessible resources. In some cases, the user will then have to request password reset from an IT helpdesk. Such an all-or-nothing approach to password expiration can lead to bad user experience as well as administrative cost to handle password reset requests.